Enterprise Insights


Despite Growing Interest, Encryption Remains Small Part of IT Budgets

In a new report, 2010 Annual Study: U.S. Enterprise Encryption Trends, 964 U.S. business and IT managers reveal their current and future needs, how they’re using encryption, and how encryption fits into their overall enterprise data protection strategies. Sponsored by Symantec and conducted by The Ponemon Institute, the report makes clear that compliance with data protection and privacy regulations is the top factor driving implementation of encryption technologies, displacing last year’s winner, data breach mitigation.

Among the key regulations are HIPAA and state privacy laws (including regulations in Massachusetts and California); Sarbanes-Oxley and Gramm-Leach-Bliley regulations are less important, the respondents noted. PCI requirements grew the fastest on the list of drivers: 15 percent said PCI was an important driver in 2007 compared to 64 percent who are concerned about PCI today. This may not come as a surprise to anyone; if an enterprise fails to comply, it can’t conduct online credit card transactions.

Protection from malicious cyberattacks -- including malware, spyware, viruses, and Trojans -- was cited as the top “overall enterprise data protection priority” in the report; protecting data at rest dropped to second place. Also high on the list was data protection; 93 percent said it’s important or very important in managing risk.

If only enterprises devoted a bigger part of their budget to encryption. The technology isn’t quite getting the attention of IT managers -- it doesn’t earn “earmark” status; perimeter controls such as intrusion detection and prevention systems were the more important technologies to which IT specifically allocated funds. Anti-virus and spyware tools were also popular budget items, as were identity and access management. In fact, data protection as a whole is just a small part of IT’s budget: only 8 percent of respondents said that encryption solutions made up at least 20 percent of their IT spending.

When it comes to encryption, a “platform-based approach to managing encryption solutions and encryption key management are still not common industry practices,” the report notes, but there’s some good news: it’s growing in popularity and gaining respect.

With data cyberattacks and IT implementation challenges at an all-time high, the report acknowledges the tough choices IT must make in the face of shrinking budgets and breaches whose costs averaged $6.75 million per breach and $200 per compromised record for “detection, response, notification, and lost business.” Breaches are becoming more common: 88 percent of organizations had experienced at least one data breach compared to 85 percent in 2009. Among those experiencing a breach, nearly a quarter (23 percent) suffered a single breach, and 40 percent had to handle between two and five breaches. That’s not a pretty picture.

The report can be downloaded at no cost; registration is required, however.

--James E. Powell
Editorial Director, Enterprise Strategies

Posted on 12/07/2010 at 11:53 AM